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Abstract 



Software certification aims at proving tlie correctness of programs but in many cases, the use of 
external libraries allows only a conditional proof: it depends on the assumption that the libraries 
meet their specifications. In particular, a bug in these libraries might still impact the certified 
program, fn this case, the difficulty that arises is to isolate the defective library function and provide 
a counter-example, fn this paper, we show that this problem can be logically formalized as the 
construction of a Herbrand tree for a contradictory universal theory and address it. The solution 
we propose is based on a proof of Herbrand's theorem in the proof assistant Coq. Classical program 
\^ extraction using Krivine's classical realizability then translates this proof into a certified program 

T-H that computes Herbrand trees. Using this tree and calls to the library functions, we are able to 

determine which function is defective and explicitly produce a counter-example to its specification. 



o 

h- ] 1 Introduction 

O Software certification has become in the last decade one of the major applications of computer assisted- 

proofs. This technique decomposes in two stages: the first one is a formalization step where we express 
,-H the program properties we want as logical formulae — call them V — whereas the second one focuses on 

^ proving them, which is usually done within a proof assistant. Provided we trust itrl the assisted proof 

t ■ ensures that the program satisfies its specification V and thus behaves as expected. 

'v_^ However, in real life, programs may depend on external components, and in many situations we do 

_^ not want (lack of time or money) or we are not able to certify them. This is typically the case when we do 

not have access to their implementation, e.g. a piece of proprietary software or a hardware component 
(processor, data acquisition device). In this situation, the correctness of the whole program (such as 
^^ expressed by V) depends on correctness assumptions — call them U — about the external components. In 

T-H practice, the formula we must prove is the implication U ^ V . 

L| Having a proof oi U ^ V gives us no warranty on the correctness of the program with respect to the 

• ^H specification V, it simply means that when a bug report contradicts the specification V., we know that 

^\ at least one of the components does not meet its specification. 

1.1 Motivation: the Static Debugger 

In the case where the certified program runs into a bug (according to V), traditional proof assistants 
provide no tool to track down the bug through the formal proof oi U ^ V to find out which external 
component is defective (according to U) and for which set of parameters — the counter-example. 

The problem we are facing is the problem of experimental modus tollens, that can be summarized by 
the following pseudo-rule. 

Experimental Modus Tollens 



^The confidence that one should have in a proof assistant is not the topic of this paper so we will simply assume it. 



This problem is the fohowing: given a formal proof of the implication U ^ V and a counter-example 
to the property V, how can we find a concrete counter-example to the property U? Here, the difficulty 
comes from the fact that we need to combine objects of two different natures: a formal proof (h [/ => y) 
and an experimental evidence of misbehavior (^ y). 

Notice that we are using the symbol [^ not in its usual meaning: here we do not only want a counter- 
model (which is obvious, a counter-model for V also works for U) but rather a counter-example, i.e. a 
given set of parameters falsifying U. For that, the specifications U and V must be universal, namely Hi 
formulae (or conjunctions thereof), otherwise the very notion of a counter-example does not make sense. 
In practice, this restriction is inoffensive because IIi formulae are enough to express most behavioral 
properties of program^ 

In |Miq09bJ |Miqll| , Miquel proposes a method to solve this problem using the tools of classical real- 
izability [KriOO] . The advantage of this method is that it also works when the proof oiU ^ V is classical, 
using the interpretation of classical reasoning in terms of control operators such as callcc [Gri90j . 

The aim of this paper is to present an alternative solution to this problem based on a formalization 
of Herbrand's theorem in Coq. To present this solution, we first need to dwell on some details of the 
experimental modus tollens. 

1.2 Logical Formalization 

As we have already said, the formulae U and V must be universal. But they are not arithmetical because 
they contain function symbols describing external components and predicate symbols expressing their 
properties. Formally, we simply work in a first-order signature containing these function and predicate 
symbols. (To ensure the concrete effectiveness of the method, we need that these function and predicate 
symbols actually correspond to components and properties that can be concretely tested.) 

Instead of working with the full rule of experimental modus tollens, we shall work with the particular 
case where V is the false formula. 

Experimental Effectiveness 

This rule expresses that from a contradictory theory, we can deduce a counter-example. 

Although the problem of experimental effectiveness is a particular case of the problem of experimental 
modus tollens, they are in fact equivalent. The transformation between these two pseudo-inference rules 
goes as follow: if we denote by Vq the particular instance of V that was experimentally falsified, by 
eliminating the V connectives of V, we can build a proof oi\- V ^ Vq. Combining it with the given proof 
of h [/ => y, we make a proof of C/A^Vg h _L. Using experimental effectiveness, we get a counter-example 
for U A ^Vq. Since we know that Vq is falsified, it is a counter-example for U. 

1.3 Abstracting tests 

The solution presented by Miquel consists in combining the classical A-term extracted from the classical 
proof of [/ h _L with a wrapper embedding extra instructions performing the tests associated with the 
predicate symbols of the first-order signature. In practice, the experimental tests associated with the 
external predicates may be expensive to perform and we would like to remove them. Nevertheless, 
we cannot completely avoid them if we want to find a counter-example, because they appear in the 
specification U we want to falsify and because tests are the only way to get information about them. 

One intermediate solution is to abstract over these tests and consider all possible interpretations 
for the external predicates. Instead of a single counter-example, this will lead to a family of counter- 
examples organized in the form of a Binary Decision Diagram (BDD), whose internal nodes will represent 
the atomic experiments that must be performed in order to reach a counter-example at a leaf. From the 
point of view of logic, this BDD is nothing but a Herbrand tree falsifying the formula U. 

Formally, a Herbrand tree is a finite binary tree whose inner nodes are labeled with atomic formula. 
Intuitively, each branch of such a tree is a partial interpretation of the atomic formulffi which is sufficient 
to determine a counter-example (to the universal theory U) that is placed at the corresponding leaf. 
Given a Herbrand tree and components testing the truth of atomic formulae, it is easy to extract the 



^Program properties are usually of the form "for all possible inputs, there is a specific relation between an input and 
the corresponding program output" 



desired counter-example using the tree as a BDD: go down in the tree by testing encountered atomic 
formulae and entering the sub-tree corresponding to the result of the test, until reaching a leaf. 

1.4 Extracting Herbrand trees from a proof of Herbrand's theorem 

It is well-known in logic that any universal formula U that is contradictory has a Herbrand tree. 
Theorem 1. — If U is a universal inconsistent theory, then U has a Herbrand tree. 

This theorem exactly solves our problem: find a counter-example (abstracted over the interpretations 
of atomic formulae) for a contradictory universal theory. The only trouble is that we simply have the 
existence of Herbrand trees whereas we want an explicit procedure to build them. To get round this 
difficulty, we propose to build a proof of Herbrand's theorem in a proof-assistant and to extract it to a 
program computing Herbrand trees. Since the usual proof of Herbrand's theorem is classical, we need 
a classical extraction mechanism. This currently only exists for the Coq proof assistant (CDTlOj as the 
classical extraction module kextraction |Miq09a| based on Krivine's classical realizability |Kri09j . 

The methodology we propose in this paper is to formalize a (classical) proof of Herbrand's theorem 
in Coq, apply it to a proof of contradiction of some universal theory U and extract the resulting theorem 
(expressing the existence of a Herbrand tree for U) through classical extraction. The execution of this 
extracted term will finally lead to the tree we look for. 

1.5 Outline of the paper 

The most difficult part of the presented methodology is the proof of Herbrand's theorem in Coq. It will 
be the topic of the first two sections, the first one focusing on a reformulation of Herbrand's theorem in 
a suitable statement for Coq manipulation and the second one dwelling in the details of the formalized 
proof. The next section explains how to connect the formalized proof of Herbrand's theorem with 
a contradiction proof of a universal theory in order to get a theorem expressing the existence of a 
Herbrand tree. The fifth section focuses on the last steps of our methodology: classical extraction in 
Coq and evaluation of the extracted term. Finally, the sixth section presents an completely different 
approach to the problem of building Herbrand trees, using a customized classical realizability. 

2 Expressing Herbrand's theorem in Coq 

2.1 Making Herbrand's theorem Coq friendly 

Instead of using the proof-theoretic assumption of having a proof of contradiction L/ h _L for a theory [/, 
we rather use its model-theoretic counterpart, i.e. a proof of its inconsistency h V^, ^ ^ U. Neverthe- 
less, this new statement is not very convenient to use in Coq because it requires to express model theory 
in Coq which we would rather avoid. In this section, we shall explain how to transform the hypothesis 
of Herbrand's theorem into a more suitable statement for manipulation with Coq. 
First of all, because C/ is a finite universal theory, we can write it as 

n 

U = l\ Va;i . . .Vxfe^,Cj(a;i, . . . ,a;fej 

where n is the size of the theory and the Ci are quantifier-free formulae with hi variables built from atomic 
formulae with the usual logical connectives. The hypothesis V^, ^ \^ U is then classically equivalent 
to 

where |^| is the carrier of the interpretation ^. In order to have only one existential quantifier, we 
merge the parameters i and 17 by introducing the dependent sum 

n 
index = ^ \^\^' = {(«,^)l^ e Kl*''} 



so that we can rewrite our hypothesis as 

\/^,3i : index, ^ \f C7rj(i)(7r2(i)). 

At this point, we observe that we are not fully using the Gj but only their ground instances Cj{v). 
So instead of manipulating a full syntax containing terms and atomic formulae built upon terms and 
arbitrary predicates, we can simply abstract the syntax by an abstract data type atom representing 
atomic formulae. With such an atom data type, we build quantifier-free formulas as the elements of the 
Boolean algebra generated by the atoms, a data type we will call compound. 

c, d : compound ::= a \ cAd \ cM d \ ^c 

where a € atom. We express the dependency on the index i of the compound associated with C7rj^(i)(7r2(i)) 
by a function Th : index — >■ compound. Therefore, we now have the following representation in Coq: 

y^, 3i : index, ^ \^ Thi 

where atom abstracts the signature and index and Th abstract the universal theory U . 

Finally, since an interpretation ^ is only defined by its values over the atoms (we no longer have 
terms, so we are back to propositional calculus), we can take it to be a function from atom to Prop. 
Extending it in the straightforward way to compound (with a function eval : (atom — )• Prop) — > compound — >■ 
Prop) and generalizing over atom, index and the theory (i.e. over Th), we get this final statement as the 
hypothesis of Herbrand's theorem: 

Vatom, 

Vindex, VTh : index — > compound, 

yval : atom — > Prop, ^(Vi : index, eval wa/ (Thi)) 

We will now illustrate this transformation on two simple examples. 

2.2 The White Crow example 

This first example is built upon a signature containing three unary predicate symbols Crow, Black and 
White, whose intended meaning is obvious. The individuals are a countable number of birds represented 
by integers. 
Our ornithology says: 

1. every crow is black, Vn, ^ Crow n V Black n 

2. a bird cannot be both black and white; Vn, ^(Black n A White n) 
whereas experimental observations have concluded that: 

3. the bird 42 is a crow. Crow 42 

4. the bird 42 is white; White 42 
so that the White Crow theory will be 

(Vn, ^ Crown V Black n) A (Vn, ^ (Black n A Whiten)) A (Crow 42) A (White 42). 

Atoms represent atomic formulae of the signature. In this case, atomic formulae are threefold and ranges 
over the set {Crow(n),Black(n), White(n) | n G N}. Therefore, the set of atoms can be taken to be 
{Cn,Bn,Wn \ Ti G N} whcrc the C„, B^ and Wn are constants. The set of indices is the disjoint union 
of the set of parameters of the axioms of the theory: 

{(1, n) I n e N} U {(2, n) I n e N} U {(3, 0)} U {(4, 0)} 

Finally, Th translates an index into the corresponding compound: 



Thi 



^C„\/B,, ifz-(l,n) 

^(Br^AWn) ifi=(2,n) 

C42 ifz = (3,0) 

W42 if t = (4, 0) 



2.3 The pseudo-induction example 

The second example is even simpler: from one constant symbol a, a unique function symbol / of arity 1 
and one unary predicate symbol P, we build the following theory: 

(V.T, P{x) ^ P{f{x))) A Pia) A -P(/(/(a))). 

Since we have only one predicate symbol, the set of atoms is {P{t) | t is a term} = {P(/"(a)) | n S N} 
written {o„ | n S N}. The set of indices is {(l,i) | t is a term}U{(2, 0)}U{ (3,0)} and is more conveniently 
expressed as {(1, n) | n G N} U {2, 3}. The theory is then described by the function 

^a„ Va„+i if i = (l,n) 
Thi= { ao Hi = 2 

^03 if i = 3 

3 A proof of Herbrand's theorem in Coq 

Let us first recall the usual proof of Herbrand's theorem. 

Theorem 2. If U is a universal inconsistent theory, then U has a Herbrand tree. 

Proof. Let us fix an enumeration (a„)„gpf of the atomic formulae built upon the signature of U. We 
consider the infinite binary tree enumerating these atoms in the order given by (a„)„gN: this tree has 2" 
nodes at depth n each labeled by a„. By definition, any infinite branch contains all the atoms and can 
be seen as an interpretation of the signature of U. Pick one infinite branch. Since U is inconsistent, this 
interpretation is not a model of U and thus induces a contradiction in U. By compactness, only a finite 
number of atomic formulae are used to reach this contradiction, thus we can cut this infinite branch at 
finite depth while keeping the contradiction and any interpretation extending this partial interpretation 
will contain the same contradiction. We conclude using Konig's lemma to get a finite tree. D 

This proof is classical because we use Konig's lemma. Since we want to extract the proof we will 
build, we use the proof assistant Coq for which a classical extraction module exists |Miq09a| and we 
cannot afford ourselves to use theorems or axioms we do not know how to realize. This means we cannot 
directly use Konig's lemma in our proof, unless we prove it before. Its most standard proof goes by 
contradiction and proves the equivalence between being an infinite tree and having an infinite branch. 
Formalizing this proof requires to have a representation of infinite trees in Coq which we would rather 
avoid. The solution we employ is to avoid a direct use of Konig's lemma but rather "inline" its proof to 
reach the contradiction. 

3.1 The idea of our proof 

The proof uses reductio ad ahsurdum to emulate Konig's lemma. We will assume inconsistency of the 
theory U and the absence of Herbrand trees for U . With these two hypotheses, we will show that any 
partial interpretation (of the atoms) consistent with U can be extended to a bigger partial interpretation 
still consistent with U . By iterating this process from the empty partial interpretation (which is obviously 
consistent with U), we will build incrementally a model of U, thus contradicting our hypothesis of 
inconsistency. 

3.2 Design choices 

Recalling the transformation of section [STT] we see that there are cross-dependencies between on the one 
hand (user-provided) abstract data types — atom and index — and hypotheses — the inconsistency proof — 
and on the other hand the data types — compound, etc. — built by the proof. Regarding extraction, since 
we do not want to parametrize every proof by all these arguments, we use Coq typeclasses. They allow 
almost transparent usage of the abstract data types through the Context construction. They also ease 
the representation of several Boolean equalities and orders by allowing overloading and make the final 
theorem very easy to use since appropriate instances are automatically found whenever they exist. 



3.3 The structure of the proof 

The overall architecture of the proof is reflected in the file dependencies of the Coq development shown 
on Fig. [Tl The first two files Common and Optioned_Bool are preliminary files and will not be discussed. 
Similarly, the file order_N is not part of the proof itself but rather consists of tools to help users create 
the required data types atom and index. The dashed edge represents a false dependency that exists only 



to build the instance of ThType (c/. Section 3.5) at once. 

Optioned_Bool Some useful functions on the type option bool 

Common Common tactics and some properties over relations 

Orders Definition of the decidable equality and orders classes 

Definitions Definitions of all data types: atom, index, compound, path, tree 

Valuations Evaluation of a compound in a partial or total interpretation 

iA_ordering Definition of the order on the dependent pairs (i,a) 

good.bad The actual proof 

order _N User tools to build instances of the order classes from a countable set 




Figure 1: The Coq development architecture 



3.4 Decidable orders and equalities 

The proof requires decidable equality and ordering tests over several abstract data types, like atom or 
index, in order to effectively compare them. The following classes will each extend the previous one, 
adding extra properties that will be necessary for some types. For efficient computation, all tests are 
implemented as Boolean functions with a correctness proof. Note that it is not equivalent to use rich 
types containing specifications because in classical extraction such annotations are not removed, contrary 



to intuitionistic realizability (c/. Section 5.2). 

Class DecEq (T : Type) := { 

eq : T — >• T — >• bool; 

eq_correct : Vai a2 , eq ai a2 = true i — > ai = a2}-. 
Notation "A =B" := (eq A B = true) (at level 40). 
Notation "A ^B" := (eq A B = false) (at level 40). 
Notation "A =' B" := (eq A B) (at level 39). 



This first class simply defines a decidable (Boolean) Leibniz equality together with some notations for 
easier use. 

Class DecOrd {T : Type} '{Eq : DecEqual T} := { 

It : T ^ T ^ bool; 

lt_irrefl : Va, It a a = false; 

lt_trans : Vai 3.2 as, It ai 3.2 = true — > It a2 as = true — ?> It ai as = true}. 
Notation "A <B" := (It A B = true) (at level 40). 
Notation "A <B" := (It A B = false) (at level 40). 
Notation "A <'-B" := (It A B) (at level 39). 

This second class defines a decidable strict order on types which already have a decidable equality. We 
introduce some extra notations to match mathematical habits. 

Class TDWFOrd {T : Type} '{DecOrder T} := ■[ 
dec : Vai a2 : T, -[ai <a2} + {ai = a2} + ■[a2 <ai}; 
wf : V(P : Pred T) , (V x, (V y , y < x -^ P y) ^ P x) -^ Vx, P x} . 

where Pred T is the type T — ^ Prop of predicates over T. This third class adds totality and well-foundedness 
to the previous order class. 

Class MinPredDrder -[T : Type} '{TDWFDrder T} := ■[ 
minimum : T; 

minimum_OK : Vt , minimum < t ; 
pred : T — >■ T; 

pred_is_less : Vt , (pred t) <t; 
pred_is_sup : Vai a2 , ai <C; a2 — >■ ai < (pred a2) ; 
pred_is_id : Va, (pred a) = a — ^ a = minimum}. 

This last class defines a decidable total well-founded order with a predecessor function, which basically 
amounts to being isomorphic to natural numbers. Since there will be only one instance of this class, 
namely the index data type, and since we will also need a minimum on this type, for the sake of 
convenience we add it explicitly here although it could already be defined in the TDWFOrd class. 

Each of these classes comes with an extended twin that contains proofs of useful common properties. 
An instance automatically builds the extended version from the basic one. For instance, the TDWFOrd 
class extends into a class TDWFOrder asserting some equivalences and the minimum principle. 

Class TDWFOrder -[T : Type} '{TDWFOrd T} := ■[ 
lt_nleq : Vai a2 , ai ^ a2 < — > ^2 ^ ai ; 
nlt_leq : Vai a2 , ai <^ a2 < — > a2 < ai ; 
min_princ : V(P : Pred T) , (3 a, P a) — > (3 a, P a AVb, P b ^ a <b)}. 

This mechanism is used to define a non-strict order from an equality and a strict order (thus extending 
the DecOrd class) and prove its usual properties. Of course, it also comes with its own notations. 

3.5 The abstract data types 

Having all the tools we need to start, we first describe the hypotheses of Herbrand's theorem {i.e. the 



user input) as classes. We encounter again the different data types we discussed in section 2.1 



Class Atom := { 
atom : Set ; 
AtomEq :> DecEq atom}. 

Atom is an abstract data type representing the atomic formulae of our theory, on which we can test 
equalities so that during evaluation of an atom, we can effectively test whether it appears or not in a 
partial interpretation. 

Class Index := { 
index : Set ; 
IndexEq :> DecEq index; 
IndexOrd :> DecOrd (E := IndexEq); 
IndexTDWFOrd : > TDWFOrd (E : = IndexOrd) ; 
IndexMPOrder :> MinPrevOrder (HO := IndexTDWFOrd); 
lt_unbounded : Vii : index, 3i2, ii <Ci2}- 



The index data type represents the parameters of the universal theory we consider. As will appear later 



in the proof (c/. Section 3.7), we need an decidable order and a predecessor for this type, hence we need 
it to be an instance of MinPredOrder. The final requirement lt_unbouiided is for the sake of simplicity. 
Were it wrong, there would only be a finite number of indices, thus a finite number of atoms and one 
could represent all possible interpretations in a finite tree, rendering Herbrand's theorem useless. 

Class ThType := {. 
Th : index — >■ compound; 
Th_absurd : Vval, ^(V i, eval val (Th i))}. 

Finally, we reach the real hypothesis of our theorem: the theory and its proof of inconsistency. We 
recall that compound is the data type representing quantifier-free formulae. It should be noted that this 
representation encompasses slightly more than universal formulae since we do not have any requirement 
of uniformity for Th. Nevertheless, the Herbrand theorem we prove is equivalent to the usual one. 

3.6 Internal data types: interpretations 

Let us first introduce a data type we have already used, compound, representing quantifier-free formula. 
It is simply the Boolean algebra generated by the atoms. 

Inductive compound '{Atom} : Set := 
I Atomic (a : atom) 
I And (cl c2 : compound) 
I Or (cl c2 : compound) 
I Not (c : compound) . 

With this type, we can build the most important data type: partial interpretations. 

Inductive path : Set := 
I Top 

I Left (a : atom) (p : path) 
I Right (a : atom) (p : path) . 

It represents both partial interpretations and (reverse) paths in a Herbrand tree. Its Left constructor 
indicates that the atomic formula denoted by the atom a is true in this partial interpretation. Conversely, 
the Right constructor matches false atoms and Top denotes the empty partial interpretation. Containing 
only finite objects, this type naturally comes with a decidable equality (structural equality is decidable 
because atom equality is) and we can partially order it by extension, thus it is an instance of the DecOrd 
class. Using its equality, we build partial evaluation functions which evaluate atoms and compounds. 

Fixpoint find : path — >■ atom — > option bool. 
Fixpoint peval : path — > compound — ?> option bool. 

The first function is exactly partial interpretation on atomic formulae whereas the second one is its 
straightforward extension to quantifier-free formulae. Their results may be undefined when a required 
atom is not in the partial interpretation denoted by the path, hence the use of the type option bool. 

The last data type is of anecdotal importance and will be used only at the very end of the proof. It 
is a straightforward tree that will be used to build the final Herbrand tree once we know it exists. 

Inductive Tree : Set := 
I Contrad : index — > Tree 
I Exp : atom — > Tree — > Tree — > Tree . 

3.7 Creating the order on dependent pair {i, a) 

Because compounds contain only a finite number of atoms, we can order the atoms appearing in one 
compound through a traversal of the given compound. By definition this order is total, and being finite 
it is also decidable and well-founded, i.e. an instance of the TDWFOrd class. Combining it lexicographically 
with the order on index, we get a total decidable well-founded order over the dependent pairs {i, a) with a 
belonging to Thi. In what follows, we denote such dependent pairs by («, a), omitting the side-condition 
a e Thz. Since index has a predecessor function and since a compound contains a finite number of 
atoms, we can define a predecessor function on the set of pairs {i,a). Yet giving an explicit predecessor 
for a given pair {i,a) requires some work and is defined by cases: 



• 1*^' case: there is a predecessor in Thi. To check this, we: 

1. compute the list of all atoms appearing in Thi (it defines the order on Thi) 

2. find the element following a in the list if it exists 

• 2'"* case: a is the minimal atom in Thi and i is not the minimum index. We take the maximal 
element of Th(predi). 

• 3'''^ case: a is the minimal atom of Thi and i is the minimum index. In this case, the pair (i, a) is 
the minimum of our order. By convention, we return {i,a). 

The motivation for creating this order is to have an order on atoms compatible with the one on indices. 
In addition, given j G index we have a small finite initial segment pj of the order (in fact, the smallest 
possible) containing all atoms a of all pairs (i, a) whose index i is smaller than j. 

3.8 The proof itself 

The essence of the proof lies in the refiection |Bou97| of the existence and structure of a Herbrand 
sub-tree in the inductive predicate good: 

Inductive good p : Prop := 
I good_leaf : Vi , peval p (Th i) = Some false — >■ good p 
I good_node : Va, find p a = None — > good (Left a p) — > good (Right a p) — > good p. 

In substance, a term of type good p is the sub-tree at the position defined by p of a Herbrand tree for 
Th. Indeed, the first branch of this inductive predicate expresses that we are at a leaf, i.e. there exists 
a contradiction in the theory denoted by Th at the axiom Thi. On the contrary, the second branch 
expresses that we are at an inner node, i.e. we can add an atom a to the current path (associated to 
either true or false) and these paths have Herbrand sub-trees. Furthermore, this tree contains the proof 
of its correctness as annotations at each node. From a proof of good Top, it will then be trivial to extract 
a Herbrand tree by dropping the proof annotations and prove its correctness, giving the conclusion of our 
formalized theorem: 3t : tree, Htree Th t = true where Htree is a decision function for the property 
"t is a Herbrand tree for Th" . 

Going by contradiction, our proof starts by negating this property for the empty path. Negating the 
branches of the inductive, ^(good p) is classically equivalent to the following conjunction of formula. 

(Vi, peval pi (Thi) ^ Some false) A (Va, findpa 7^ NoneV^good(Left ap) V ^good(Right ap)) 

Note that this predicate implies in particular that p does not interpret any Thi as false. Since p is a 
finite path, there exists an atom a not appearing in p. For a reason that will appear later, let us take 
the minimal one. Beware that this operation is not innocent because it requires the minimum principle 
which is classical theorem. Now we have the following implication: 

3a, findpa = NoneA(V6, findp6 = None =^ a < 6)a , , 

-goodp^ (^good(Leftap)V-good(Rightap)) ^' 

With this formulation, one can see that it is possible to extend the path p into Left ap or Right ap 
still satisfying ^ good. What we have to do now is to iterate this construction to get an infinite branch. 
Yet, this process is not constructive because of the existential quantifier so we cannot iterate it directly: 
from a path we only obtain a path predicate and not a concrete path. Embedding paths into singleton 
path predicates, i.e. translating p into fun p' =>p' = p, we have path predicates that are isomorphic 
to paths. Modifying the predicate ^ good and the formula [T] to accommodate this new representation, 
the extension can be written as a function Rextend from singleton path predicates to singleton path 
predicates. We can then iterate it starting from the empty path predicate fun p ^ p = Top to get an 
increasing sequence u_chain of path predicates, all satisfying the predicate ^ good because Top does by 
hypothesis. Finally, we take the union u of this increasing sequence to have the infinite branch we want. 

Definition Rextend : Pred path — > Pred path. 

Definition u_chain : nat — >■ Pred path. 

Definition u : Pred path := fun p => 3n, u_chain n p. 



What remains to prove is that u defines a model of t/ = Vi : index, Thz. In fact, we do not know 
whether u contains all atoms because only the ones appearing in a Thi were considered, so we cannot 
even say that u is a complete interpretation since there is a whole bunch of atoms that u says nothing 
about. However, these atoms are not relevant to us and we can arbitrarily interpret them without 
modifying the interpretation of U. The reason for this is that, in the extension process, we always take 
the minimal element not already in the path, ensuring that we do not forget any necessary atom. Let 
u* be an interpretation extending u. As u* is a complete interpretation, it cannot satisfy all Thi at 
the same time since U has no model. Let iq be an index such that u* interprets Th«o as false. Then 
u also interprets Thzo as false. But by definition of u, this means there exists an n S N such that the 
singleton path predicate u_chain n interprets Thzp as false. The only element of u_chain n is the n^^ 
extension of the empty path which has length n. Therefore we have a finite prefix p of m which interprets 
Thio as false. But by construction, p satisfies ^good and hence cannot interpret any Thz as false, a 
contradiction. 

4 The wrapper of Herbrand's theorem proof 

The premise of the experimental effectiveness rule is C/ h _L which is not the hypothesis of Herbrand's 
theorem we have chosen (which is V^, ^ |^ U) . The bridge between the two statement is simply the 
correctness theorem which precisely states that the former implies the latter. Nevertheless, what we 
want to achieve in this section is a complete automated procedure to transform a Coq proof of C/ h _L 
into the hypothesis we use in Coq for Herbrand's theorem, thus skipping over the intermediate step of 



V^,^ ^ U presented in section 2.1 Being finite and universal, U can be written Ai=i^^i ^i(^)- ^^ 
this formulation, we implicitly say that we make no assumption over the signature on which U is built. 
To express this in Coq, we need to generalize over all symbols of the signature, which gives the following 
statement: 

V/_^ yP_^^ l(/\Va;,a(x) 

function symbols predicate symbols \ axioms 

To remove these new quantifications without loss of generality, we interpret the function symbols in 
the syntax: we build the free algebra of closed terms, the Herbrand universe. When we introduce the 




atom data type (c/. Section 2.1), we replace both the predicate symbols and all atomic formulae by the 
Herbrand base, i.e. all ground instances of the predicates. Substituting the finite family of axioms by 
the indexing data type index and the function Th : index — > compound, we reach the precise statement of 
Herbrand's theorem formalized in Coq: 

Vatom, Vindex, VTh, 

(V val : atom — > Prop, ^ (V i : index, eval val (Th i))) — ^ 
3t : tree, Htree Th t = true. 

where Htree is a decision procedure testing whether a tree t is a Herbrand tree for a theory Th. Notice 
that this transformation is intuitionistic so that any use of classical logic in the extracted realizer comes 
either from the proof of contradiction of the universal theory U or from the proof of Herbrand's theorem 
but not from the intermediate wrappers. 

5 Classical extraction 

The extraction of a Herbrand tree from a classical proof of its existence formalized in Coq is achieved in 
two stages as depicted by the following diagram. 

adequacy witness extraction , ^^ rn 

proof M *- realizer Al *- program Al 1 

where T is a suitable post-wrapper. 

The first stage of the extraction process consists in translating the proof-term M of the Sj-formula 
3t : tree, Htree Th t = true expressed in the calculus of inductive constructions (CIC [CDTlOj ) into 
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a classical realizer M* (of the same formula) expressed in Krivine's Ac-calculus. The correctness of 
this translation relies on the property of adequacy established in |Miq07| , and its main interest is that 
it is able to deal with classical axioms such as the law of excluded middle (in Prop) or the axiom of 
proof-irrelevance . 

The second stage consists in applying the classical A-term M* to a post-wrapper T whose aim is to 
turn the realizer M* into a program M*T that computes the Herbrand tree effectively, using the Sj'- 
extraction technique described in |MiqlO| . Evaluating the Ac-term M*T in Krivine's Abstract Machine 
then produces the desired tree. 

Let us now consider the different ingredients of the extraction process more precisely. 



5.1 Ac-calculus: syntax and evaluation 

The Ac-calculus is the programming language to which we will extract the proof. The Ac-calculus extends 
the pure A-calculus |Chu411 IBar84j with the control instruction callcc ('call with current continuation') 
and continuation constants fc^ |Kri09] . Unlike the pure A-calculus, evaluation proceeds in the Ac-calculus 
according to the call-by-name strategy, using Krivine's Abstract Machine (KAM). 

Formally, the Ac-language distinguishes three kinds of syntactic entities — terms, stacks and pro- 
cesses — that are mutually defined as follows; 



terms 
stacks 
processes 



t,u : 


■= 


X 1 


tu 


TT : 


:= 


a 1 


t-TT 


P ■ 


:= 


t-k-r: 





Xx.t 



callcc 



(The reader is referred to |Kri09[ [MiqlO| for a more formal presentation of the language.) 

Terms of the Ac-calculus contain the usual constructions of the A-calculus plus the callcc instruction, 
reified stacks A;^ (saved by callcc) and possibly many more instructions {i.e. term constants). Stacks {i.e. 
evaluation contexts) are finite lists of closed terms ended with specific stack bottoms a. In this paper, 
we shall consider only one stack bottom nil, so that stacks are exactly finite lists of terms. Finally, a 
process is simply a term put against a stack, ready for evaluation. 

One of the main features of the Ac-calculus is that it can be freely enriched with extra instructions 
coming with their own evaluation rules. An example of such an extra-instruction is the instruction quote 
that can be used to realize the axiom of dependent choices |Kri03| . For this reason, the relation of 
evaluation of the Ac-calculus is not defined, but axiomatized with the following four rules: 

(Grab) Xx. t -k u ■ it 

(Push) tu -k TT 

(Save) callcc k t ■ n 

(Restore) k^^ k t ■ tt' 

The rules (Grab) and (Push) describe the evaluation of pure A-tcrms according to the call-by-name 
strategy, whereas the rules (Save) and (Restore) describe the save-and-restore mechanism performed by 
the instruction callcc and continuation constants fc^. 

The main results of the theory of classical realizability (such as the property of adequacy |Kri09[ 
|Miq07| ) are not tied to a particular relation of evaluation, but they more generally hold for any relation 
of evaluation that fulfills the above four axioms. In some situations it is desirable to consider extra 
axioms describing the computational behavior of extra instructions, that can be used either to realize 
formulae that could not be realized otherwise (see |Kri03] for instance), or simply to provide more 
efficient versions of realizers. (A typical example (c/. Section 5.4 1 is the introduction of instructions for 
manipulating primitive integers such as described in |MiqlO|.) 



>- 


t[u/x] -k n 


)~ 


t kc U ■ TT 


)~ 


t k k^ ■' 


)~ 


t k TT 



5.2 Extraction function 

The first stage of the extraction process consists in translating any CIC proof-term Ad of a proposition A 
into a Ac-term M* that realizes the formula A in the suitable realizability model. The adequacy of 
this translation is justified |Miq07| by a classical realizability model that extends Krivine's classical 
realizability model for classical second-order Peano Arithmetic |Kri09| to the calculus of constructions 
with universes enriched with classical reasoning at the level of the sort Prop of propositions. 



11 



Basically, the extraction function M i-> M* extracts the computationally relevant parts of the classical 
proof-term M. This translation is trivial on the constructions of the A-calculus: variables are translated 
as themselves, as well as application and abstraction (removing the type annotation in the latter case). 
On the other hand, all types are collapsed to an inert constant written .type, thus reflecting the fact 
that types are computationally irrelevant, in the sense that they cannot appear in head position during 
the evaluation of a proof. (Types are only important at the logical level, where they play the role of 
specifications.) 

In this setting, the principles of classical logic are deduced from the law of Peirce, which is itself 
translated as the instruction callcc. For instance, the law of excluded middle can be deduced in Coq 
from the law of Peirce by the following proof-term: 

Definition excl_mid : VP, P V ^P := 
fun P ^Peirce (P V^P) 

(fun k => or_intror P (^P) (fun p => k (or_introl P (^P) p) ) ) . 

Through the extraction process, this proof term becomes the following Ac-term 

Define excl_mid 

A_ . callcc (Ak. or_intror* .type .type (Ap. k (or_introl* .type .type p))) ;; 

whith or_intror* and or_introl* the Ac-terms extracted from the constructors or_intror and or_introl, 
respectively. Notice that Peirce's law is translated as callcc, while the dummy constant .type is inserted 
at each place where a type is expected. 

The extraction function M (->■ M* used in this work is also extended to inductively defined data 
structures, pattern matching and functions defined by Fixpoint. The adequacy of the extended extrac- 
tion function M i— >■ M* is justified by an extension of the realizability model presented in |Miq07| to 
the CIC, an extension that we shall not describe here. (Actually, it is not necessary to interpret the 
full mechanism of inductive definition of CIC, but only the constructions pertaining to the inductively 
defined type families that are used in the actual proof.) 

Technically, inductively defined data structures are translated using standard second-order encodings. 
For instance, the three constructors of the following inductive definition 

Inductive foo pi P2 := 
I Ci : foo pi p2 
I C2 a : foo pi p2 
I C3 bi b2 bs : foo pi p2 

are translated into the following Ac-terms: 

Define Ci = Api Ap2 Aei Ae2 Aea ei ; ; 

Define C2 = Api Ap2 Aa Aei Ae2 Aea e2 a ; ; 

Define C3 = Api Ap2 Abi Ab2 Abs Aei Ae2 Aea 63 bi b2 b3 ; ; 

(using the syntax of the Jivaro head reduction machine |Miq09c[ ). As we can see, these terms take 
the parameters of the inductive, the arguments of their constructor (if any), the eliminators for all 
constructors and they use the eliminator matching their constructor on their arguments. Thus, a term of 
type foo P1P2 can be understood as a case analyzer, so that pattern matching on an inductively defined 
data structure can be simply translated as an application. 

5.3 Witness extraction 

One of the main properties of the classical realizability model described in |Miq07| (as well as of its 
extension to the CIC) is that its second-order fragment is isomorphic to the classical realizability model 
of classical second-order Peano arithmetic such as originally defined by Krivine |Kri09] . For this reason, 
all the witness extraction techniques described in |MiqlO| — which only apply to realizers of arithmetic 
formulae — automatically extend to all realizers coming from proof-terms in CIC via the extraction func- 
tion M ^ M*. 

In order to extract Herbrand trees, we use the Ej'-witness extraction technique |MiqlO| , that consists 
in taking a classical realizer M* of a E^-formula 3x : D , f x = and applying it to a suitable post- 
wrapper T whose aim is to extract the witness hidden in the classical realizer M* . In practice, the 
Ac-term T is simply defined by 

T = S (AxAy y (stop x)) 
12 



where stop is an instruction that retrieves the result and aborts computation, and where S is a storage 
operator |Kri94) whose implementation only depends on the representation of objects of type D in the Ac- 
calculus. 

Storage operators can be understood as a technique to force a call-by-value evaluation in the call- 
by-name setting of the KAM. Their idea is to decompose the term in order to force its evaluation and 
rebuild it as a value. More precisely, they extend a function defined on values to a function defined on 
all terms reducing to a previously accepted value. For instance, the storage operator for our type tree is 

Define Mtree ft 
(t 

(Mindex (Ai f (Trees .Contrad i))) 

(Matom (Aa Mtree (Ati Mtree (At2 f (Trees. Exp a ti t2)))))) ;; 

It depends on two other realizers Mindex and Matom for the types index and atom respectively that are 
omitted here but follow a similar pattern. 

5.4 Realizer optimization 

By definition, extracted terms follow the structure of the proofs they come from. Although correct, this 
sometimes turns out to be completely inefficient. For instance, Krivine's classical realizability interprets 
true equalities between natural numbers as the identity. This implies that proofs of equalities are com- 
putationally equivalent to the identity. Yet, the terms extracted from these may be much more involved, 
using for instance induction and pattern-matching, meaning that the realizers of this kind of proofs 
destruct their argument before constructing it back, which obviously leads to inefficient computation. 

The idea of realizer optimization is to replace some of the extracted realizers by more efficient ones. 
However, we must ensure that the new realizer has the same computational content as the old one, i.e. 
that it also realizes the theorem satisfied by the old realizer. This simple mechanism provides complexity 
improvements at the scale of the order of magnitude because it can replace functions using unnecessary 
recursive calls (thus linear functions) to constant-time functions. Experimentation on the White Crow 
theory confirms these results: we move from a quadratic time-complexity to a linear one. 

A deeper but heavier optimization technique also exists: changing the representation of one data 
type into a more efficient one (in the sense of time- and/or space-complexities). It requires to modify 
all constructors and destructors of the old data type to produce and use optimized data but also all 
re-implement the functions using or returning objects of this data type to benefit from the improvement. 
Finally, we need realizers of the logical implications between the two data types which will compute the 
conversions between the two representations. 

The best example of such optimization is natural numbers: in Coq they are inductively defined as 
unary integers (according to Peano's axioms) whereas we want to use the primitive binary representation. 
If we only change the constructors (i.e. the constant and the successor function) and the destructor 
(i.e. pattern-matching), we will have integers stored as binary words but they will still be used as unary 
integers, e.g. with a recursive definition for addition. Therefore, we also need to replace all arithmetical 
operations by their binary counterparts in order to enjoy a time improvement. The interested reader can 
have a look at |Miq09b[ pp. 95-98] for more information. 

6 Another solution: direct implementation 

6.1 Intuitive presentation 

Instead of extracting Herbrand's theorem, there is a more direct way to build Herbrand trees. This 
solution has already been presented and proved correct in |Miq09b| pp. 98-104], so here we shall focus 
more on its intuition and implementation. Although faster, the implementation of this solution is not 
certified, contrary to the extraction method. 

Informally, the computational meaning of the realizer of the contradiction proof of U 

n 

U \- J- i.e. /y Vxi . ..Vxfc,Ci(xi,.. .,a;fcj h _L 
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is to use realizers of the axioms Va;i . . . Vxfc; Ci {xi , . . . , Xfe. ) to find a contradiction. The realizers of theses 
axioms themselves depend only on the realizers of the atomic formulas. (Realizers of the logical connec- 
tives have a known computational meaning.) Thus, given realizers for the atomic formulas appearing 
in [/, we can find a contradiction for U . But the realizers of atomic formula depend only on the truth of 
the atoms, so that if we interpret atoms as equalities, there are as many set of realizers for the atoms as 
interpretations. Thus, by changing the realizers of atomic formula, we change the interpretation, hence 
we change the construction of the contradiction. 

The overall idea of this method is to evaluate directly the realizer of the contradiction proof and try 
several realizers for the atomic formulae {i.e. several interpretations) while doing so. Indeed, with one 
set of realizers for the atoms we only get one interpretation and thus only one path of our tree. So if we 
try different sets of realizers, we will eventually cover all branches of the tree we want to build. 

In order to do this, we add a scheduler on top of the KAM. It will fork the currently evaluated process 
each time a new atomic formula is encountered and give to the new threads the two different realizers for 
this atom. Doing this for every atom the contradiction proof encounters, we will cover the relevant part 
of all interpretations. More precisely, each process now has a local knowledge base K associating truth 
values (or the corresponding realizers) to atoms. When evaluation reaches the realizer of an atom a not 
present in K^ we duplicate the current process, adding a associated to true to the knowledge base of one 
branch and associated to false in the other. 

p, K p, K 

A 

p, Ki p, K2 

where Ki = K IJ {(a, true)} and K2 = K [J {(a, false)}. If the atom is already present in K, we simply 
put in head position the realizer corresponding to its truth value in K. 

In this regard, atom realizers can be seen as "system calls" that wake up the scheduler, fork the 
current thread, modify the knowledge base of both new threads and run them in parallel. The built 
tree is exactly the execution tree of the realizer of the contradiction proof when we consider all possible 
realizers for the atoms, i.e. the execution tree when we consider all interpretations, with extra labels on 
the leaves for the counter-example, that is a Herbrand tree. See Fig. [2] for the example of the White 
Crow theory. 





Figure 2: The five construction steps for one White Crow Herbrand tree 



6.2 Current implementation 

First of all, we need determinism in order to keep the simple extraction function described in section 
5.2 so we will have to explicitly fork and schedule all the sub-processes that will appear. The current 
implementation uses a modified version of the Ac head reduction machine Jivaro |Miq09c adding two 
global stores zipper and cont that survive backtracks. The first one contains a zipper |Hue97j of the 



(partial) Herbrand tree being built and the second one contains the continuation of the construction of 
the tree. If the inner nodes of the zipped tree are labeled by atoms (just like a Herbrand tree), its leaves 
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are threefold: either a contradiction (as in a standard Herbrand tree) , a frozen process (some computation 
that remains to be done) or the working node to which is attached the process being evaluated. 

The reason why we need the cont store is simply that evaluation ends a branch when we reach 
a realizer of _L, i.e. an inconsistent state in which there can be anything on the stack and all future 
computation are meaningless. As long as the tree is not complete, there is still an incomplete branch, so 
we can switch evaluation to this pending process. When we complete the tree, we are in an inconsistent 
state but have no other process to switch to, so we need to restore a continuation previously stored, 
hence the existence of the cont store. 

In this framework, the knowledge base is the reverse path connecting the current node (i.e. the 
working node ) to the root of the tree. It contains all atoms that were previously evaluated before 
reaching the current process, so the position of the current process in the tree gives its knowledge base 
if we see the tree as a BDD. 

We add five new instructions to the terms of the Ac-calculus: test, contradict, reset, finish and 
save, together with the following new reduction rules. 

test -k a ■ Ui ■ U2 ■ T^ >- Ui -k TT 
test • a • Ul • M2 • TT >- U2 * TT 

contradict -k t ■ n >- u' -k n' 

reset -k k ■ n >- k -k n 

finish -k TT >- c -k t ■ TT 

save -k C ■ k ■ TT >~ k -k TT 

We can see that the intuitive meaning of these new rules (notably forking the current process) does not 
appear here. Furthermore, the first two rules seem concurrent but are not: they will occur in disjoint 
circumstances. The reason for this is that the intended behavior of these rule is (partly) external to the 
KAM, so their interest lies in their side effects, listed below, which are completely transparent to the 
evaluation relation. 

• I''' rule: no side effect but occurs only when the atom a is present in the current knowledge base 
and is associated to true; 

• 2"^^ rule: 

— either the atom a is already evaluated to false inside the current knowledge base and there is 
no side effect; 

— or the atom a has never been encounter before. In this case, we extend the tree by replacing 
the current working node by Node (a, Frozen {u\,tv), Working_Node) , expressing that we just 
made a decision for the realizer of a and that we continue on the false branch having previously 
stored the process (ui,7r) corresponding to the true branch; 

• 3'''^ rule: ends the current branch with a contradiction labeled by t and switch to another pending 
thread u'*7r' (i.e. a leaf Frozen(M',7r') in the zipped tree) if there is one, otherwise calls finish tt; 

• 4"^ rule: empties the content of the zipper store; 

• 5"^ rule: applies the content of the cont store to the zipped tree; 

• 6"^ rule: put c into the cont store. 

The overall behavior of such a program is to build the Herbrand tree right-to-left (because we first 
choose the false sub-tree) by extending the current branch until reaching a contradiction. It then switches 
to the next branch and repeat this process till completion of the tree. The termination is ensured by 
the adequacy theorem of classical realizability because the executed term is extracted from a Coq proof 
(see Miq09b| for more details). 



6.3 Concrete usage of the program 

We run the program in the modified KAM by applying the realizer extracted from the contradiction proof 
of the theory U to realizers of the axioms of C/, automatically generated from their Coq statements. Thus, 
a common Ac-term for computing a Herbrand tree of the White Crow theory is the following: 
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Define eval_tree proof k 
Define crow_test 
eval_tree 

(Top.crow_Th .type .type 
print 



save (Mtree k) proof 



.type Top.CB Top.nBW Top.C42 Top.W42) 



where Top . crow_Th is the reahzer extracted from the contradiction proof, Mtree is a storage operator for 
the tree data type and Top.CB, Top.nBW, Top.C42 and Top.W42 are reahzers of the four axioms of the White 
Crow theory (built automatically by a Coq tactic). 

We have introduced a macro eval_tree for a complete transparent usage of the tree construction 
program. Since crow_Th is extracted from Coq, it requires three dummy parameters (the predicates 
Crow, Black and White of type nat — > Prop) represented by the constant .type. The instruction print 
is a Jivaro primitive which prints its argument as a term and can be replaced by any retrieving term for 
the tree. 



7 Future works 

It would be interesting to understand what is the precise computational behavior of the extracted proof 
and see whether it is possible to remove the linear dependency (c/. Section 5.4) that appears in the 
White Crow example. It is probably connected to the choice of the order on indices and a clever order 
putting the counter-example index and atoms first would probably run much faster. 

In the long run, developing a theory of realizer optimization is definitely worth the effort, considering 
the complexity improvements involved. In this sense, what could be an analog of Harrop formulas, 
known to have no computational meaning in intuitionistic realizability, in Krivine's framework? The 
objective would be to have a wide-enough class of formula (including at least implications between 
atomic equalities) for which an optimized realizer could be automatically substituted during extraction 
based on the shape of the formula. 



The idea of the second method has been proved correct in |Miq09b but the current implementation 
which features explicit scheduling and no parallelism remains to be formally proved. It would also be 
interesting to know if we can embed it into standard classical realizability without a scheduler. For plain 
realizability, it is impossible since nothing can survive a backtrack but if we allow global stores, we expect 
it to be doable considering the current implementation. 
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